ThreatExpert: System Overview
This overview describes what ThreatExpert is and how you can use this system to minimize the impact of threat infections discovered on your network.
What is ThreatExpert?
ThreatExpert is an automated analysis system that produces a rapid, detailed description of the behavioral effects and changes a threat makes to a computer’s operating system upon infection. System administrators and researchers can use this information to minimize the impact of a threat infection on a computer or network.

Threats can end up on a computer from numerous sources, via e-mail, using chat programs such as Messenger or IRC programs, or by browsing sites containing malware on the Internet. Whilst the presence of a threat file on a computer does not necessarily compromise the computer itself, there are several mechanisms by which it can be run without the user’s knowledge. Once run, the threat infection can result in unexpected computer behavior.

When infections are detected within an organization’s network, it is the role of system administrators to identify the source of the infections and remove them as quickly as possible. Infected computers on a network can result in severe losses due to communication problems through impaired network and Internet access, and the unauthorized release of confidential information outside the organization.

When new suspected threat files are identified, system administrators can send these files to an Internet security company, such as an anti-virus or anti-malware vendor, for analysis. These companies investigate the threats and, some time later (from a few hours up to 48 hours, depending on the complexity of the threat), provide updated database definitions to detect and remove them. In some circumstances, if the threat warrants additional research, a detailed description of it is subsequently posted on the Internet.

Nevertheless, the downtime between identifying the relevant threat files and receiving a database update to remove the infection can result in severe financial losses to an organization.

This is where ThreatExpert steps in. ThreatExpert takes a threat file, places it in a self-contained, isolated virtual environment, deliberately executes the threat there and monitors its behavior. File, Windows Registry and memory snapshots are recorded, and a series of specific ‘hooks’ intercept the communication routes typically exploited by threat infections. These hooks ‘deceive’ the threat into communicating across a simulated network, while its communication actions are actually being recorded in detail by ThreatExpert. From this recorded data a detailed report is generated, consisting of file and Windows Registry changes, memory dump analyses, and other important system activities caused by the threat.

An analogy to ThreatExpert is a ‘sting operation’ set up by a law enforcement organization to catch a criminal suspect in the act of a specific crime. In a successful sting operation, the suspect commits the crime under deception, allowing the law enforcement organization to monitor their movements and determine whether they are the culprit.

ThreatExpert is capable of providing a detailed analysis report of a threat within a matter of minutes. This information can prove invaluable to system administrators, who can use it to initiate rapid abatement strategies against new infections before Internet security companies respond with updated database definitions that remove the threats.
How do you submit files to ThreatExpert?
Suspected threats can be submitted to ThreatExpert through the web submission form.
All that is required for the submission of a suspected threat to ThreatExpert is the threat executable or DLL file and a valid e-mail address.
After submitting your file, the ThreatExpert system processes the suspected threat and sends its detailed report on it to your supplied e-mail address. This usually occurs within a matter of minutes. However, depending on demands on the ThreatExpert system, several more minutes may be required in order for your submission to be processed.
How do you read the ThreatExpert report?
When the ThreatExpert threat report arrives in your e-mail Inbox, it is provided as a zipped attachment with the password ‘threatexpert’. Some ThreatExpert reports contain a representation of code that some Internet security software may perceive as potentially malicious. Zipping these reports with a password is a convenient way of preventing those applications from deleting the report attachment before it arrives in your Inbox. Note that the password is fixed and public, so it provides no confidentiality; its only purpose is to get the attachment past mail scanners. ThreatExpert reports are not malicious, and any malicious code representations they contain are rendered harmless.

The ThreatExpert report is provided in Microsoft MHTML format, which is readily viewable in Windows Internet Explorer. The report is divided into several sections covering specific exploit behaviors, file and registry changes, the presence of hidden files and rootkits, and the country of origin of the threat. Not all information may be available for a given threat (the country of origin, for example), but ThreatExpert lists all the threat information it could derive.
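Reading a report outside Internet Explorer only needs two steps: open the zip with the stated password, then parse the MHTML as the MIME multipart/related message it is. The following Python script is an added example, not ThreatExpert’s own code; the sample report embedded in it is constructed, and the file name report.mht and the h2/h3 heading tags it looks for are assumptions about the report layout.

```python
"""Open a ThreatExpert report attachment and list the report's sections.

Added example, not ThreatExpert's own code.  The sample report below is a
constructed stand-in for a real .mht report; only the zip password and the
MHTML format come from the page.
"""
import io
import re
import zipfile
from email import policy
from email.parser import BytesParser

# Password the page states for the zipped report attachment.
REPORT_PASSWORD = b"threatexpert"

# Constructed minimal MHTML report: MHTML is a MIME multipart/related message
# whose first part is the HTML page.  Headings mimic the sections the page lists.
SAMPLE_MHT = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_ReportBoundary"

------=_ReportBoundary
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body>
<h2>Submission Summary</h2>
<h3>Submission details</h3>
<h3>Summary of the findings</h3>
<h2>Technical Details</h2>
<h3>File System Modifications</h3>
<h3>Registry Modifications</h3>
<h3>Outbound traffic (potentially malicious)</h3>
</body></html>
------=_ReportBoundary--
"""


def build_report_zip(mht_bytes, name="report.mht"):
    """Pack a report the way it arrives as an e-mail attachment.

    The real attachment is password-protected with ZipCrypto; the zipfile
    module can read such entries but cannot write them, so this constructed
    sample is stored unencrypted.  extract_report() handles both cases.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, mht_bytes)
    return buf.getvalue()


def extract_report(zip_bytes, password=REPORT_PASSWORD):
    """Return the raw .mht bytes from the attachment.

    zipfile only consults the password for encrypted entries, so passing it
    unconditionally is harmless for the unencrypted sample.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        reports = [n for n in zf.namelist()
                   if n.lower().endswith((".mht", ".mhtml"))]
        if not reports:
            raise ValueError("no MHTML report inside the attachment")
        return zf.read(reports[0], pwd=password)


def html_from_mhtml(mht_bytes):
    """Pull the text/html part out of an MHTML document.

    This lets the report be read, or post-processed, without Internet Explorer.
    """
    msg = BytesParser(policy=policy.default).parsebytes(mht_bytes)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            return part.get_content()
    raise ValueError("report contains no text/html part")


_HEADING_RE = re.compile(r"<h([23])[^>]*>(.*?)</h\1>", re.I | re.S)
_TAG_RE = re.compile(r"<[^>]+>")


def report_sections(html):
    """Return (level, title) for each h2/h3 heading in document order."""
    return [(int(level), _TAG_RE.sub("", title).strip())
            for level, title in _HEADING_RE.findall(html)]


if __name__ == "__main__":
    attachment = build_report_zip(SAMPLE_MHT)
    html = html_from_mhtml(extract_report(attachment))
    for level, title in report_sections(html):
        print("  " * (level - 2) + title)
```

For a real attachment, replace build_report_zip(SAMPLE_MHT) with the bytes of the saved zip; the password is only needed because the entry is encrypted, and the same parsing then applies to the extracted .mht.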

A ThreatExpert report is divided into a number of sections:
  • Submission Summary

    • Submission details – Contains information on the date and time when the ThreatExpert analysis commenced, the time taken to analyze the threat file and additional information about the threat file.

    • Summary of the findings – Lists details that describe the behavior of the threat, such as:

      • how it affects the operating system
      • what network capabilities it possesses
      • what known exploits it may be employing in its replication mechanism

    Note that this subsection is not displayed if the submitted file exhibited none of these characteristics during analysis; in that case the submitted file is most likely not a threat. Bear in mind, however, that a sample which detects the analysis environment or waits for a trigger that never occurs will also produce an empty summary.

  • Technical Details (only some of these sections may be listed depending on the nature of the threat)

    • File System Modifications – Lists files, hidden files, alternate data streams and directories that were added to, deleted from or modified on the file system by the threat.

    • Memory Modifications – Lists processes, hidden processes, injected memory pages, modules, services, hooks and drivers that were added to or modified in memory by the threat.

    • Registry Modifications – Lists keys and values, including hidden keys and values that were added to, deleted from or modified in the Windows Registry by the threat.

    • Outbound traffic (potentially malicious) – Lists all types of outbound traffic attempts instigated by the threat, including a description of the traffic, where available.

    • Heuristics Analysis – Lists additional information derived from the analysis of the contents of memory and intercepted traffic. These findings reflect the capabilities of a threat to perform specific malicious activities such as the termination of other security-related processes, details on replication mechanisms, and keylogging functionality.

    • Other details – Lists a range of other miscellaneous information not reported in the other sections of the ThreatExpert report, such as country of origin, ports opened by the threat, and other details from a range of Windows API calls made by the threat.

    • Generated SMTP traffic – Lists details of outbound e-mail traffic, including senders, recipients, subject fields, attachments and message bodies.

This detailed report gives a system administrator what is needed to minimize the impact of a new threat infecting their network in the shortest possible time, and it can also serve as a second opinion on threat analyses conducted by other sources.